[JENKINS:SECURITY-1909] Stored XSS vulnerability in `matrix-auth`

Severity: High
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

matrix-auth 2.6.1 and earlier does not escape user names shown in the permission table.
This results in a stored cross-site scripting (XSS) vulnerability.
When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.

matrix-auth 2.6.2 escapes user names in the permission table.
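The following is an added example, not code from the matrix-auth plugin or the Jenkins Security Team. It models the behaviour the advisory describes: a stored user name rendered into the permission table without escaping (pre-2.6.2) beside the escaped rendering (2.6.2), and a simple check of whether a matrix-auth version string falls in the affected range. The column set, the payload user name and the row markup are constructed for the illustration and do not reproduce the plugin's real Jelly view.

```python
"""Added example (not the matrix-auth plugin's own code): unescaped vs escaped
permission-table rendering, plus a version check for the advisory's range."""
import html
import re

# Constructed column set for the illustration; the real table lists many more.
PERMISSIONS = ("Overall/Read", "Job/Configure", "Agent/Configure")

# Constructed payload: a user name that, as the advisory describes, a user with
# Job/Configure or Agent/Configure (project-based matrix) or Overall/Administer
# could store in the permission table.
MALICIOUS_USER = '<img src=x onerror="alert(document.domain)">'


def _permission_cells(granted):
    # One cell per permission column; 'x' marks a granted permission.
    return "".join(f"<td>{'x' if granted.get(p) else ''}</td>" for p in PERMISSIONS)


def render_row_unescaped(user_name, granted):
    """Pre-2.6.2 behaviour: the stored user name is concatenated into the
    markup verbatim, so any HTML it carries runs in every viewer's browser."""
    return f'<tr><td class="left">{user_name}</td>{_permission_cells(granted)}</tr>'


def render_row_escaped(user_name, granted):
    """2.6.2 behaviour: the user name is HTML-escaped before it is rendered,
    so <, >, & and quotes become entities and the payload stays inert text."""
    safe_name = html.escape(user_name, quote=True)
    return f'<tr><td class="left">{safe_name}</td>{_permission_cells(granted)}</tr>'


def matrix_auth_is_affected(version):
    """True when a matrix-auth version string is in the advisory's affected
    range (<= 2.6.1). Assumes a plain dotted numeric version (hypothetical
    simplification; Jenkins plugin versions are not always strict semver);
    a missing patch component is treated as 0, so "2.6" counts as affected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) for p in m.groups(default="0")) <= (2, 6, 1)


if __name__ == "__main__":
    granted = {"Job/Configure": True}
    print(render_row_unescaped(MALICIOUS_USER, granted))
    print(render_row_escaped(MALICIOUS_USER, granted))
    for v in ("2.6.1", "2.6.2"):
        print(v, "affected" if matrix_auth_is_affected(v) else "fixed")
```

Running the script shows the raw `<img ... onerror=...>` tag inside the first row and the entity-encoded `&lt;img ... &gt;` in the second; the second is what an administrator should see after upgrading to 2.6.2. The version check is only a convenience for scanning a plugin inventory, not a substitute for reading the installed plugin's metadata.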

ID: JENKINS:SECURITY-1909
Severity: high
Published: 2020-07-15T00:00:00
Modified: 2020-07-15T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository; ID: matrix-auth; Name: repository; URL: https://github.com/jenkinsci/matrix-auth-plugin
Packages (Distribution/Platform, Arch and Patch/Fix columns are empty for all rows)
Type      Package URL                                   Namespace               Name                Version
Affected  pkg:maven/org.jenkins-ci.plugins/matrix-auth  org.jenkins-ci.plugins  matrix-auth         <= 2.6.1
Fixed     pkg:maven/org.jenkins-ci.plugins/matrix-auth  org.jenkins-ci.plugins  matrix-auth         = 2.6.2
Affected  pkg:github/jenkinsci/matrix-auth-plugin       jenkinsci               matrix-auth-plugin  <= 2.6.1
Fixed     pkg:github/jenkinsci/matrix-auth-plugin       jenkinsci               matrix-auth-plugin  = 2.6.2
CVE table columns: CVE, Description, CVSS, EPSS, EPSS Trend (30 days), Affected Products, Weaknesses, Security Advisories, Exploits, PoC, Publication Date, Modification Date